On Fri, Feb 07, 2025 at 10:41:34PM +0000, Al Viro wrote: > I'm sorry, but I don't buy the "complete with no lock on directory" > part - not without a verifiable proof of correctness of the locking > scheme. Especially if you are putting rename into the mix. > > And your method prototypes pretty much bake that in. > > *IF* we intend to try going that way (and I'm not at all convinced > that it's feasible - locking aside, there's also a shitload of fun > with fsnotify, audit, etc.), let's make those new methods take > a single argument - something like struct mkdir_args, etc., with > inlines for extracting individual arguments out of that. Yes, it's > ugly, but it allows later changes without a massive headache on > each calling convention modification. > > Said that, an explicit description of locking scheme and a proof of > correctness (at least on the "it can't deadlock" level) is, IMO, > a hard requirement for the entire thing, async or no async. > > We *do* have such for the current locking scheme. While we are at it, the locking order is... interesting. You have * parent's ->i_rwsem before child's d_update_lock() * for a child, d_update_lock() before ->i_rwsem and that - on top of ordering between ->i_rwsem of various inodes. Do you actually have a proof that it's deadlock-free?
